Net gains for credit card thieves

When career criminal Willie Sutton was asked why he robbed banks he famously said: "Because that's where the money is."

In the same way, ask any criminally minded hacker why they target large retailers like TK Maxx and they would doubtless reply: "Because that's where the credit card numbers are."

These numbers are the oil that keeps the wheels of the net's underground economy rolling.

Some write viruses to try to steal them from PCs, phishing gangs try to dupe people into handing them over, and some try to find a way into the databases of big retailers.

The reasons are obvious. Setting up a phishing scam or a virus run is complicated. Get it wrong and months of effort can be wasted.

By contrast, a hacker only needs to crack open the database inside one big retailer to make a big score - potentially the biggest ever in the case of TK Maxx.

Numbers game

At the moment it is not clear exactly what happened to TK Maxx, how the hackers got in, or how they maintained access for almost two years.

The company has played down the breach saying that the numbers of perhaps as many as two-thirds of the 45 million debit and credit cards stolen have now expired.

Despite this, US police have charged six people in Florida with using credit card numbers stolen from TK Maxx.

Those arrested are not thought to be the hackers behind the TK Maxx breach, not least because the net's criminal underground is divided by specialism. Some do the hacking, some handle the credit card data and some launder the cash.

TJX HACKING TIMELINE

18 December 2006 - TJX discovers the breach in security

Within days it hires outside investigators and notifies US federal authorities

19 January 2007 - Publicly admits the problem, but not the full extent

The big problem that the hackers might have had is in getting rid of all those credit card numbers.

Virus and phishing runs tend to grab details from tens of thousands of people. Any more and the hacking gangs would be swamped with data and be unable to process it before it became useless.

According to the security researchers the BBC News website contacted, selling off the huge number of credit card numbers stolen from TK Maxx does not seem to have lowered the average online price for this data.

"Things have remained mostly the same with regards to the price card details are going for," said Chris Boyd, director of malware research at Facetime Security.

Lance Spitzner, head of the Honeynet Project, which monitors the net underground, said: "There is such a vast amount of credit card and identity theft already happening that I doubt even something of this magnitude will have a big impact."

Cash out

What is also clear is that the TK Maxx hackers did not get all the data in one swoop. They stole it over a long period of time and may have parcelled it out to maximise their return.

Criminals covet detailed credit card data

Statistics gathered by Symantec suggest that, if all the numbers were sold, the hackers could have made a huge profit from their theft.

Monitoring the underground bulletin boards and chat rooms where credit card data is bought and sold has led Symantec to believe that a credit card number along with its security code is worth up to $6 (£3).

Andrew Moloney, financial services market director for RSA, said there was a real hierarchy of credit card numbers with more complete information commanding a premium price.

"There's a market for whatever you can get," he said. "The fuller the information, the more valuable it is in the market, as it broadens the ways in which such information can be used, and where."

For a credit card number including CVV number, PIN, limit, name and home address, a hacker could expect as much as $18 (£9).

While TK Maxx is not entirely sure what information it lost, it believes that only card numbers were stolen rather than all the accompanying data that makes them so valuable.

But, said Chris Boyd, even such low-level data could lead to far bigger things.

"For the more organised groups out there, card details are the first rung on the ladder anyway because they'll trade them in for PayPal accounts linked into eBay stores," he said.

"Many eBay sellers tend to let their earnings accumulate over a long period of time," said Mr Boyd, "and if you get access to just one of those, you could potentially grab a lot more money in one go than you could ever hope to obtain from a person's bank account."
